3-Year Certificates Are Being Phased Out as the Industry Embraces Reduced SSL Certificate Lifetimes
Last month the CAB Forum approved Ballot 193, which will see reduced SSL certificate lifetimes, as the maximum decreases from three years to two years.
This is being done to address the security and logistic issues inherent with long-life certificates. If you are interested in why this change is important, take a trip over to this article.
Given that this will impact how certificates are deployed and managed, we wanted to put together a quick and digestible summary of how this will impact those who use (or plan on using) 3-year SSL certificates.
First, the quick and simple changes:
- Effective March 1st, 2018 all new SSL certificates will be restricted to a maximum of 825 days (2 years + 3 months renewal buffer). This affects DV (Domain Validation) and OV (Organization Validation) certificates.
Prior to this date, CAs are allowed to issue 3-year certificates. Note that some may choose to discontinue these practices early.
- Effective now (as of April 20th, 2017), validation information needs to have been completed within 825 days of the issuance/re-issuance of your SSL certificate. Because this requirement comes into effect now, there will be some inconveniences for both existing and new 3-year certificate holders who need to reissue their certificate in its last year.
Those are the basics. Shorter-term certificates (1-year) are not affected by either of these changes.
Note that the 825-day maximum age for validation information is in effect now, which creates some confusing scenarios and can impact users who have shorter term certificates.
This means that if your validation was originally performed more than 825 days ago, it is now invalid and needs to be redone before you can receive a new certificate; same applies if you cross that 825-day limit. This affects new and existing certificates.
To make all of this easier to understand, we have created some scenarios and a description of how these new changes will affect you. More than one of these may (or could) affect you, so please skim all the scenarios:
Your practices/equipment require you to replace certificates as infrequently as possible, so you want to use 3-year certificates as long as possible.
You can receive a new 3-year certificate up until March 2018. This will allow you to have a 3-year certificate in production until 2021, but ONLY if you do not reissue your certificate after March 2018 when the new maximums take effect.
As mentioned above, there are sometimes security vulnerabilities or other industry changes out of your control which may require you to reissue a certificate. In some cases, such as the SHA-1 migration, you can choose not to reissue your certificate if you are okay with degraded treatment in web browsers.
Note that in the past, CAs have chosen to stop issuing products prior to the industry-mandated deadlines. This may mean that some CAs choose to stop issuing 3-year certificates before March 2018. Plan to check in later this year; do not wait until the last minute and assume a 3-year certificate will be available. If this happens we will contact our existing customers to let them know. If you use another provider/CA, check with them to see what their planned policy is.
You have an existing OV certificate and want to re-issue it.
Because the 825-day maximum for validation information is now in effect, you may need to re-complete validation when you re-issue your certificate.
This change took effect very quickly and has caused a large amount of existing validation information to suddenly expire. This affects both new and existing certificates.
Whether you are affected depends on when the validation of your certificate was originally completed. That date may not be apparent to you, because it is not necessarily the same as the start date of your certificate. This could affect a 1- or 2-year OV certificate as well.
If you have an existing 3-year certificate, you will need to revalidate if you reissue in the last year of its lifetime.
Validation is the process of proving the existence of your legally registered company. When your existing validation information expires, you will be required to re-do this process which will then be valid for the next 825 days.
You have an existing 3-year certificate (issued before March 2018) that needs to be reissued after March 2018.
From a technical perspective, reissuing a certificate is the same as issuing a new certificate. This means that after March 2018, ALL newly issued certificates (including reissues) must have a maximum validity of 825 days.
When you reissue your existing certificate after March 2018 it will be truncated to 825 days to meet the new requirements and you will permanently ‘lose’ the difference.
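As an added example (not code from the original post), here is a small Python checker that applies the two rules discussed above to a reissue: the 825-day validity cap that starts on March 1st, 2018, and the 825-day maximum age of validation information, which is already in force. It models DV and OV certificates only, and all dates in the demo are constructed.

```python
from datetime import date, timedelta
from typing import Optional

# Rules as stated in the post (CAB Forum Ballot 193), modelled for DV and OV only.
VALIDITY_CAP_START = date(2018, 3, 1)   # first day the 825-day validity cap applies
MAX_VALIDITY_DAYS = 825                 # two years plus a roughly three-month renewal buffer
MAX_VALIDATION_AGE_DAYS = 825           # validation data may be at most this old at (re)issue


def validation_is_fresh(last_validated: date, issue_date: date) -> bool:
    """True when existing validation data can still be reused for an issuance on issue_date."""
    if issue_date < last_validated:
        raise ValueError("validation cannot postdate issuance")
    return (issue_date - last_validated).days <= MAX_VALIDATION_AGE_DAYS


def latest_allowed_not_after(issue_date: date) -> Optional[date]:
    """Latest notAfter for a certificate (re)issued on issue_date; None before the cap applies."""
    if issue_date < VALIDITY_CAP_START:
        return None
    return issue_date + timedelta(days=MAX_VALIDITY_DAYS)


def plan_reissue(reissue_date: date, current_not_after: date, last_validated: date) -> dict:
    """Work out what reissuing an existing DV/OV certificate on reissue_date does to it.

    Returns the (possibly truncated) notAfter, how many days of validity are lost,
    and whether validation must be redone before the CA can reissue.
    """
    cap = latest_allowed_not_after(reissue_date)
    new_not_after = current_not_after if cap is None else min(current_not_after, cap)
    return {
        "not_after": new_not_after,
        "days_lost": (current_not_after - new_not_after).days,
        "revalidation_required": not validation_is_fresh(last_validated, reissue_date),
    }


if __name__ == "__main__":
    # Constructed scenario: a 3-year certificate issued and validated in February 2018,
    # reissued two weeks after the cap takes effect. Validation is fresh, but the
    # remaining lifetime (1072 days) exceeds the cap, so 247 days are lost.
    print(plan_reissue(date(2018, 3, 15), date(2021, 2, 19), date(2018, 2, 20)))
    # Constructed scenario: reissue in the last year of a 3-year certificate whose
    # validation was done in May 2017. Nothing is truncated, but revalidation is required.
    print(plan_reissue(date(2020, 1, 10), date(2020, 6, 1), date(2017, 5, 15)))
```

Note that a reissue only truncates when the remaining lifetime at the time of reissue exceeds 825 days; a 3-year certificate reissued in its second or third year is usually left unchanged, while the validation-age check can still bite.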
You have a DV certificate
Starting March 2018, DV certificates will now be limited to 825 days. Prior to this date, you can continue to get a 3-year certificate. However please read the first and third scenarios above to fully understand how you may be affected.
When you re-issue a DV certificate it is already common practice to re-validate domain ownership. This is a simple practice, which can be performed in a few minutes by setting up a DNS record, uploading a file to your server via FTP, or confirming an email.
You have an EV certificate
EV certificates are not affected by either of these changes. Because they meet the highest standards for identity, EV certificates are already limited to stricter maximums for both requirements.
EV certificates have a maximum of 27 months and validation information can only be reused for a maximum of 13 months. There are currently no planned reductions to these periods; however, as the CAB Forum institutes more security-conscious requirements, EV certificates may be restricted to one year.
At this time, we are not aware of any changes to Symantec or Comodo’s product lines. However, they may choose to discontinue 3-year certificates ahead of the industry-mandated deadline, or impose other changes to deal with this shift. If and when this happens, we will notify all our customers and be in contact with those whose active certificates are affected.